The rapid evolution of technology and cyber security has, to a significant extent, left both employees and individuals in their private capacity without training in cyber security fundamentals. Given how pervasive electronic and digital technology is in both the professional and public lives of individuals around the world, it is surprising that cyber security is still largely seen as the responsibility of a dedicated and somewhat reclusive Information Technology (IT) Department.
The IT landscape has shifted dramatically in the past five years, leading both corporate and commercial enterprises to explore new models for technology, such as cloud computing and mobility. The advent of the Fourth Industrial Revolution is further leading to technology increasingly being utilised and incorporated as a strategic endeavour that can directly accelerate growth.
However, it is not solely business interests that are expanding: the abundance and sophistication of hackers, combined with greater reliance on interconnected applications, devices and systems (also referred to as the Internet of Things), is driving demand for cyber-security environments to evolve like never before.
Cyber-attacks do not only damage data infrastructure and integrity; they can also cause reputational damage to an organisation, leading to a loss of business confidence and even to financial damage.
At the same time, a data breach that penetrates an organisation's systems can further lead to the disclosure of confidential customer information.
Perhaps more threatening, and strikingly prevalent, to the operation and sustainability of corporate, commercial, government and individual cyber security is the pervasiveness of both witting insider threats and unwitting human error. The prevalence and diversity of these threats make it imperative that organisations timeously and proactively assess employees to identify abnormal behaviours and patterns of suspicious activity.
In terms of witting insider threats, employees may be coerced or threatened into disclosing sensitive information or deploying a logic bomb, or contract workers may do the same to guarantee further employment. Verizon's 2019 Data Breach Investigations Report found that 34% of all breaches in 2018 were caused by employees themselves, a gradual yet significant increase from 25% in 2016 and 28% in 2017.
On the other end of the spectrum, unwitting human error by non-IT personnel is just as harrowing. Two months after the widely propagated WannaCry ransomware epidemic, with the vulnerabilities it exploited already patched by an update from Microsoft, a significant number of companies around the world still had not updated their systems. Unwitting human error also encompasses acts of user misuse and simple mistakes.
Hackers and cyber criminals are further known to use social engineering, deceiving end-users into divulging sensitive information, a tactic to which even the most seasoned employees, despite hours of training and their own intellect, fall victim.
Every organisation requires stringent security policies and procedures that clearly outline how diverse threats, including social engineering, are addressed, based on realistic and industry-specific scenarios. The policy should outline acceptable use of Information and Communications Technology (ICT) assets and include sanctions for failure to comply. Continuous and real-time simulation exercises, such as simulated phishing attacks that attempt to trick the user into revealing sensitive information or downloading malware, assist employees in recognising both external and internal threats and build a stronger security-first culture.